Splunk Search

Community Activity

Replication and search factors "not met" We have: - Index Cluster Master - Search head cluster (3 nodes) - Index Cluster (3 nodes) - Heavy forwarder (1 node) ... by davidmills Explorer in Splunk Search 03-07-2019 0 2	0	2
Added _meta to default result in double counts. unable to search data using SPL index=test ssp=3538 following search does return the result index=test ssp=*3538 ... by rbal_splunk Splunk Employee in Splunk Search 03-07-2019 0 1	0	1
What's wrong with my eval case statement? What is wrong with this? \| eval Count=case((sourcetype="input1" OR sourcetype="input2") AND index="foo1", "NA" (sou... by ryhluc01 Communicator in Splunk Search 03-07-2019 0 15	0	15
Field extractions aren’t working as expected since upgraded to 7.2.3 Since upgraded to Splunk version 7.2.3, some fields extractions aren’t showing on the searches properly. In particula... by rsantoso_splunk Splunk Employee in Splunk Search 03-07-2019 0 2	0	2
How to merge remaining fields into a multivalue field after dedup'ing one field? Hi, Just as the question says. My current search results in something similar to this: ip device ----------... by russell120 Communicator in Splunk Search 03-07-2019 0 3	0	3
How to plot a timechart from summary index? Hi, I have a summery index with events like this :- 3/06/2019 00:00:00 +0000, search_name=ABCD , search_now=15519168... by splbsm Explorer in Splunk Search 03-07-2019 1 3	1	3
REST Search API with WHERE condition I'm using Splunks REST API to post a search job and then get the results. Ideally I would like to use a where conditi... by someone4321 Explorer in Splunk Search 03-07-2019 0 6	0	6
Query for eventcount I have a lookup file with indexes in it, I want a query i need the eventcount of the indexes mentioned in the lookup ... by VijaySrrie Builder in Splunk Search 03-07-2019 0 2	0	2
Multiple WHERE's in Query I'm trying to write an ANTLR grammar for Splunk queries and an example of the queries that my system receives is as f... by inovexsean Explorer in Splunk Search 03-07-2019 0 4	0	4
Can you help me create a graph for average calculation of execution time field? Hi all, I would like to create a dashboard displaying average transaction time / day / test type. Tests are running... by htomi New Member in Splunk Search 03-07-2019 0 3	0	3
Cisco Config Regex Before I begin work on what is likely to be a multi-day excursion, I wanted to see if this has already been done. I ... by DBattisto Communicator in Splunk Search 03-07-2019 0 6	0	6
Why does dedup command with sortby parameter in base searches produce duplicate results in Splunk 7.1.4? Good morning, I've noticed a strange phenomenon with Splunk Enterprise 7.1.4 base searches and I wanted to see wheth... by andrewtrobec Motivator in Splunk Search 03-07-2019 0 4	0	4
JSON miliseconds not taken from timestamp Hi! I have a json log and dedicated sourcetype for it. Sourcetype looks like this: [json] disabled=false KV_MODE=jso... by przemysaw Explorer in Splunk Search 03-07-2019 0 3	0	3
Help with regex / replace needed Hello, I have the following event: X Mon Mar 4 19:57:48:935 2019 X *** WARNING => MMX 'EGPH5': mm_diagmode set 0 ... by damucka Builder in Splunk Search 03-07-2019 0 2	0	2
Can you help me with the where command? Hello, I use the seatrch below index="" sourcetype="" \| eval Boot_Duration=coalesce('Durée du démarrage ','B... by jip31 Motivator in Splunk Search 03-06-2019 0 16	0	16
About "https://docs.splunk.com/Documentation/Splunk/7.2.3/Data/Configureindex-timefieldextraction#Add_an_entry_to_fields.conf_for_the_new_field". There is following description in this manual. For example, say you're performing a simple <field>::1234 extraction ... by yutaka1005 Builder in Splunk Search 03-06-2019 0 2	0	2
how i can use short for two field? Hello everyone. Want to display the output only for the time which crosses 18 months (earliest time) by rajhemant26 New Member in Splunk Search 03-06-2019 0 2	0	2
Removing Column Headings with Sparkline I have created a search including sparkline: index=_* type="threat" severity="medium" \| stats sparkline count \| ta... by balcv Contributor in Splunk Search 03-06-2019 0 3	0	3
customizing colors of charts Is there any way that I can customize the color of column or bar chart? since I wanted to represent green, yellow and... by mdmaala Communicator in Splunk Search 03-06-2019 0 2	0	2
Pulling multiple Columns from an inputlookup Trying to pull more than one column from an inputlookup. One of the columns maps to a field in the index I am search... by dbturner New Member in Splunk Search 03-06-2019 0 1	0	1
How to create a new field out of some evaluated data? Hello, So here's my Query: index=video-eng-live \| rename message.timestamp as time \| eval time=strftime(time/1000... by moizmmz Path Finder in Splunk Search 03-06-2019 0 6	0	6
How do I obtain counts of search results fields within a head command eval-expression? I have an index with events in it that, among others, have the fields shown at the bottom of this post When I execut... by williamcharlton Path Finder in Splunk Search 03-06-2019 0 5	0	5
How do you do a stats count by a specific field? I'm working on an antivirus correlation rule, and I'm running into a few issues. I want to make sure dest, signature,... by ericl42 Path Finder in Splunk Search 03-06-2019 0 9	0	9
Can you help me with a tstats count using lookup data? Hello, I have the below query trying to produce the event and host count for the last hour. The index & sourcetype ... by ajith_sukumaran Explorer in Splunk Search 03-06-2019 0 6	0	6
How come URLs in my lookup table are not working? Greetings everyone! I have a question concerning a CSV lookup table with domains in it, which sadly does not work. ... by VanyBerg Engager in Splunk Search 03-06-2019 0 1	0	1